Why CMMC?
The DoD estimates that U.S. companies are losing over $600 billion USD each year in intellectual capital to competitors due to a lack of cybersecurity controls or awareness. Cyber attacks are on the increase, and organizations must take action to protect Controlled Unclassified Information (CUI) and improve the related cybersecurity processes and controls that are so important to national defense.
What is DoD’s Goal?
The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and cannot be treated as a “tradeoff” option along with cost, schedule, and performance. The DoD is committed to working with the DIB to enhance the protection of CUI and cyber controls and hygiene within the supply chain using the Cybersecurity Maturity Model Certification (CMMC) framework. CMMC assessments will target, review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced/progressive. For a given CMMC level, the associated controls and processes, when implemented, are designed to reduce risk against a specific set of cyber threats.
The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on a "trust yet verify" approach with respect to DoD cybersecurity requirements. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels. The intent is for certified independent third-party organizations to conduct CMMC assessments on DIB suppliers to improve their cybersecurity capabilities and to inform them of their risks.
Who are the Key Players?
OUSD(A&S) is working with DoD stakeholders, academia, Federally Funded Research and Development Centers (FFRDCs), and industry to develop and then implement the Cybersecurity Maturity Model Certification (CMMC) program. The CMMC Accreditation Body (AB) was established in January 2020, and the Memorandum of Understanding (MOU) between the DoD and the CMMC AB to set up and operate the CMMC program was signed in March. The AB has established numerous working groups to get the initial aspects of the ecosystem in place in Q1 and Q2 of 2020.
ISACA’s subject matter experts and Certified CMMI Lead Appraisers, Ron Lear and Kevin Schaaff, have been active volunteer members of the CMMC Accreditation Body’s CMMC Assessment Methodology Working Groups since inception. This includes the Assessment Methodology Working Group and the Accelerated Assessment Working Group, which were combined into a single working group in July 2020. As part of these two critical CMMC AB Working Groups, Mr. Lear and Mr. Schaaff were the primary authors of the current CMMC Assessment Methodology, its integrated processes, and the related training content and materials. Both remain active in the working group’s volunteer activities as the CMMC ecosystem moves into its initial launch phase.
C3PAO Program
The volunteers at the CMMC Accreditation Body have been busy building infrastructure, observing pilot assessments, and delivering training classes with the first set of randomly selected Provisional Assessors. As of this month, the CMMC AB team has observed 5 pilots at defense industrial base (DIB) companies and has trained and certified 52 provisional assessors. The CMMC AB will be running the third and final provisional class later in October, which will result in a total of 75 assessors to date.
The Department of Defense (DoD) released an interim rule to supplement the Cybersecurity Maturity Model Certification (CMMC) process that will go into effect 30 November.
Learn more at the Federal Register website.